Users of digital services and utilities can be attacked in multiple ways. One well-known type of attack is key logging, which involves tracking or logging the keys struck on a keyboard. Computer hardware and software that accomplish this task of key logging are called keyloggers.
Typically, keyloggers conduct key logging in a covert manner so users of the keyboard at a host computer are unaware their key stroke actions are being monitored. The keyloggers usually store the captured keystrokes in a file on the host computer which is accessed and transmitted in real time or at a later time to a hacker. Some of the more recent versions of keyloggers have become more sophisticated and only send a portion of the captured keystrokes relating to information identified as being particularly important, such as credit card or password information.
When initially installed, most keyloggers make an entry in the registry of the operating system on the host computer and are configured to start whenever the operating system boots the host computer. When a user of the host computer presses a key on the keyboard, the keyboard driver receives the scan code corresponding to the key being pressed. Each key on the keyboard has a unique scan code. This scan code is sent to the keyboard device driver, which translates it to a virtual-key code, a device-independent value defined by the system that identifies the purpose of the key. The keyboard driver then creates a message that includes the scan code, the virtual-key code and other keystroke information, and places the message in the system message queue. The message is then removed from the system message queue and sent to the corresponding thread of the application. The thread's message loop removes the message and passes it to the appropriate window procedure of the application for processing.
The keylogger intercepts the keystrokes either at the keyboard driver level, by replacing the keyboard driver with a malicious keylogger driver, by adding filters between the keyboard driver and the system message queue, or by hooking the various Windows API calls. With hooking, when a keystroke message arrives in the message queue, the callback function registered by the keylogger is called to record the keystroke. The captured keystroke is then stored in a file, which is transferred to the hacker's computer via e-mail, FTP or an IRC channel.
Various prior proposals have been made to detect and prevent keylogging activities by keyloggers. For example, one proposal involves using signature-based schemes in anti-virus software to try to identify and block keyloggers. Unfortunately, these schemes are ineffective against zero-day and unknown keyloggers.
Other proposals to combat keyloggers involve the use of virtual keyboards. Unfortunately, even with virtual keyboards, aggressive keyloggers are able to grab screenshots from the host computer on every mouse click and so recover what was typed. Additionally, these keyloggers may use various form grabbers to grab the details entered in a form on the host computer and send these details to the hacker's computer. Form grabbing is done by exploiting vulnerabilities in the web browser of the host computer.
Further proposals to prevent keylogging activities include encrypting keystrokes before they enter the system on the host computer and only decrypting these keystrokes at the application level. This ensures that a keylogger captures only encrypted keystrokes, which cannot be decrypted without the key. Unfortunately, this technique is still ineffective against keyloggers that use form grabbers, because the form grabber reads the data after the application has decrypted it.
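The keystroke pipeline (keyboard driver, system message queue, thread message loop, window procedure) and the message-queue hook point described earlier, together with the driver-level encryption proposal and its form-grabber limitation, are easier to see in a working model. The following is an added example, not code from the original text or from any product it describes: a pure-Python simulation that never touches the real Windows API. The scan-code table, the `KeyMessage` structure, the `keystream_byte` derivation and the session key `b"constructed-session-key"` are all constructed for this illustration.

```python
"""Simulated keystroke pipeline: keyboard driver -> system message queue ->
application window procedure, with a queue hook standing in for a keylogger.
When the driver is given a session key shared with the application, it encrypts
each keystroke before it enters the system (the mitigation described above);
the form grabber at the end reads the decrypted form field and so defeats it."""
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Scan-code -> virtual-key table. Illustrative and constructed for this example
# (a handful of entries standing in for the full system table).
SCAN_TO_VK = {0x1E: 0x41, 0x30: 0x42, 0x2E: 0x43, 0x20: 0x44}  # A, B, C, D


@dataclass
class KeyMessage:
    """What the driver places in the system message queue for one keystroke."""
    scan_code: int
    vk: int           # virtual-key code, XORed with the keystream when encrypted
    encrypted: bool


def keystream_byte(key: bytes, counter: int) -> int:
    """Per-keystroke keystream byte: first byte of HMAC-SHA256(key, counter).
    Mapped into 1..255 so that no keystroke ever passes through unchanged; that
    is a convenience for the demonstration, not a cryptographic requirement."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return digest[0] % 255 + 1


class KeyboardDriver:
    """Translates scan codes to virtual keys and posts messages to the queue.
    With a key set, it encrypts the keystroke before it enters the system."""
    def __init__(self, queue: deque, key: Optional[bytes] = None):
        self.queue, self.key, self.counter = queue, key, 0

    def press(self, scan_code: int) -> None:
        vk = SCAN_TO_VK[scan_code]
        if self.key is None:
            self.queue.append(KeyMessage(scan_code, vk, False))
            return
        vk ^= keystream_byte(self.key, self.counter)
        self.counter += 1
        # The scan code is withheld as well; it would otherwise identify the key.
        self.queue.append(KeyMessage(0, vk, True))


class QueueHook:
    """Stands in for a keylogger's hook callback: it is invoked for every
    message taken off the queue and records the virtual-key value it sees."""
    def __init__(self):
        self.captured = []

    def __call__(self, msg: KeyMessage) -> None:
        self.captured.append(msg.vk)


class Application:
    """The window procedure: decrypts if needed and appends to a form field."""
    def __init__(self, key: Optional[bytes] = None):
        self.key, self.counter, self.form_field = key, 0, ""

    def window_proc(self, msg: KeyMessage) -> None:
        vk = msg.vk
        if msg.encrypted:
            vk ^= keystream_byte(self.key, self.counter)
            self.counter += 1
        self.form_field += chr(vk)


def run_pipeline(scan_codes, key: Optional[bytes] = None):
    """Drive the pipeline and return what three observers end up with: the
    hook's capture, the application's form field, and a form grabber's read of
    that same field after the application has decrypted it."""
    queue = deque()
    driver, hook, app = KeyboardDriver(queue, key), QueueHook(), Application(key)
    for sc in scan_codes:
        driver.press(sc)
    while queue:
        msg = queue.popleft()
        hook(msg)             # the keylogger's hook sees the message first ...
        app.window_proc(msg)  # ... then the application processes it
    form_grabber_read = app.form_field  # reads the field, not the queue
    return bytes(hook.captured), app.form_field, form_grabber_read


if __name__ == "__main__":
    keys = [0x1E, 0x30, 0x2E, 0x20]
    print("unprotected:", run_pipeline(keys))
    print("encrypted:  ", run_pipeline(keys, key=b"constructed-session-key"))
```

Run unprotected, the hook captures the same `ABCD` the application receives. With the session key, the hook captures only keystream-masked bytes, while the application still reconstructs `ABCD`; the form grabber, which reads the application's field rather than the queue, gets the plaintext in both runs, which is exactly the gap the text points out.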